Our architecture is built on top of Amazon AWS services to enable best-practice protection controls implemented according to industry standards. We process only the minimum personal data required to provide app functionality to merchants and are compliant with the General Data Protection Regulation (GDPR).
Please see below the technical details on how we encrypt and handle data at each stage of our application:
The server-side link tracking script runs on every page load of the merchant store. When it detects a referral link click, it generates a signed HMAC token and injects it into the HTML.
When the client-side link tracking script receives this token, it consults the Shopify Customer Privacy API to check whether we have cookie consent from the user, and if we do, it sets the tracking cookie. If the server-side link tracking script is not installed, the client-side link tracking script can detect a link click itself and generate a weaker (unsigned) token to use as a cookie.
When the client-side checkout tracking script detects a tracking cookie, it sends checkout information to our backend to track the referral.
Checkout information consists of the order ID and clicker metadata: IP address, user agent and click time.
DATA HOSTING & ENCRYPTION
Simple Affiliate stores data and backups with the Amazon AWS RDS and S3 services, which are located in the United States.
DATA AT REST
Data stored in Amazon S3 buckets, encrypted with SSE-S3 (S3-managed encryption keys):
database backups (retained for two years)
checkout logs for link tracking (retained for two years)
application logs (retained for two years)
server access logs (retained for two years)
internal reports created by our employees (retained for two years)
Data stored in Amazon RDS, encrypted with AWS-managed keys:
logs of Shopify webhooks and all outgoing emails (retained for two years)
production backups (retained for seven days; primary backups are in S3)
DATA IN TRANSIT
The Simple Affiliate user interface runs on the user's computer in a web browser. All communication between this browser application and the Simple Affiliate server occurs over a connection encrypted by TLSv1.2_2021.
SEPARATION OF TEST DATA
Testing and staging environments are logically separated from the Production environment. No production data is used in our development or test environments.
Simple Affiliate's Production Environment uses a role-based access control (RBAC) security architecture that requires users to be authenticated and authorized before accessing any system resources. Resources are protected using industry-standard tools. Access to data is logged to ensure all access is appropriate.
DATA LOSS PREVENTION
Non-log production data is replicated among discrete operating environments to protect the availability of Simple Affiliate's service in the event of catastrophic events. The available Simple Affiliate data archiving service mitigates data loss for customer logs in the event of catastrophic events.
SECURITY INCIDENT RESPONSE
Simple Affiliate has established policies and procedures for responding to potential security incidents. All incidents are managed by Simple Affiliate's Incident Response Team. Simple Affiliate defines the events that must be managed via the incident response process. Incidents are classified by severity. Incident response procedures are tested and updated at least annually.